Microsoft’s April 2022 Patch Tuesday Addresses Two Zero-Day Vulnerabilities

Microsoft has released more than 100 security fixes for its software, addressing critical issues and two zero-days.

In the latest batch of patches from the Redmond giant, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed issues including numerous remote code execution (RCE) bugs, elevation of privilege (EoP), denial of service, information leaks, and spoofing. A total of 10 vulnerabilities are classified as critical.

Products affected by the April security update include the Windows operating system, Microsoft Office, Dynamics, Edge, Hyper-V, File Server, Skype for Business, and Windows SMB.

The zero-day vulnerabilities fixed in this update are:

  • CVE-2022-26904: This known zero-day flaw affects the Windows User Profile Service and is described as an EoP vulnerability. The bug has been given a CVSS severity rating of 7.0 and the complexity of the attack is considered “high” because “to successfully exploit this vulnerability, an attacker must win a race condition,” according to Microsoft.
  • CVE-2022-24521: This bug is another EoP issue, found in the Windows Common Log File System driver. Microsoft assigned it a CVSS score of 7.8 and rates the attack complexity as low. The company has detected active exploitation, despite the flaw not being made public so far.

Two other vulnerabilities, CVE-2022-26809 and CVE-2022-24491, are also of concern. Affecting the Remote Procedure Call Runtime and the Windows Network File System respectively, these vulnerabilities have earned CVSS scores of 9.8 and can be exploited by attackers to trigger RCE.

According to the Zero Day Initiative (ZDI), the patch volume is comparable to Q1 2021.

Last month, Microsoft fixed 71 vulnerabilities in its March batch of security fixes. Among the bugs addressed were CVE-2022-22006 and CVE-2022-24501, the only two critical bugs patched. In February, Microsoft patched 48 vulnerabilities, including one zero-day vulnerability.

In other Microsoft news, the tech giant is planning a change that could spell the end of Patch Tuesday as we know it. Dubbed Windows Autopatch, the automatic Windows and Office software update service will be rolled out to enterprise customers to ensure they have faster access to security fixes, rather than waiting for one monthly update, excluding out-of-schedule emergency releases.

Windows Autopatch is scheduled for release in July 2022.

In addition to Microsoft’s Patch Tuesday roundup, other vendors have also published security updates that can be accessed below.
